CLAIMS 



1 1 . Method for controlling access by a requestor (7) to resources (2d) in a 

2 computer system (1) in which the requester is assigned one or more roles based on an access 

3 control list that defines the conditions for obtaining a right to a resource, characterized in that 

4 it consists of restricting the resources accessible for a given role to only part of the resources, 

5 by means of a validity domain of the role. 

1 2, Method according to claim 1, characterized in that it stores an additional piece 

2 of information relative to the need to consult the validity domain of the role in the access 

3 control list. 

© 3. Method according to claim 2, characterized in that it consults the additional 

t| information relative to the need to consult the validity domain of the role and verifies that the 

% resource in question belongs to the validity domain only if said information requires it. 

fi 4. Method according to claim 2, characterized in that it performs an access check 

L on two levels: 

ij "a first level on the type of the resource (2d); 

"a second level on the identifier of the resource (2d). 

1 5. Method according to claim 4, characterized in that it performs a first-level 

2 check verifying the existence of at least one entry of the access control list that satisfies the 

3 conditions for obtaining the requested right, and if the entry exists, the existence of a validity 

4 domain for said entry. 

1 6. Method according to claim 5, characterized in that it performs a second-level 

2 check verifying, if the requested permission contains a resource identifier, the existence of at 

3 least one configured permission corresponding to the requested permission, and the value of 

4 the additional information relative to the need to consult the validity domain. 
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7. Method according to any of claims 1 through 5, characterized in that it 
consists of grouping rights or resources into generic groups represented by special characters 
or keywords or other symbols. 



1 8. Device for controlling access by a requestor to resources (2d) in a computer 

2 system (1), characterized in that it comprises a management machine (2a) comprising an 

3 access control service, the RAC (6), and means for storing (10) roles, access control lists and 

4 validity domains 

1 9. Device for implementing the method according to any of claims 1 through 6. 

1 10, Software module for implementing the method according to any of claims 1 

5 through 6. 
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